AML: HMRC flexes enforcement muscle to the tune of £7.8 million
International transfers of personal data are instantaneous and constant. Everyday business functions such as uploading data files to the cloud or sending emails potentially involve transferring personal data across international borders. This is particularly relevant in today’s global economy where business functions are often outsourced overseas for operational and cost efficiencies. Our previous blog on this topic confirmed that, following Brexit, the UK will be a ‘third country’ for the purposes of international transfers of data under the GDPR, which could have serious implications on the practicalities of legally transferring personal data from the EU to the UK. This blog updates the position and examines the possible outcomes of the on-going Brexit negotiations on the transfer of personal data from the EU to the UK.
On 14 November 2018, the UK government published a draft withdrawal agreement (governing the terms of the UK’s departure from the EU), Article 71(1) of which anticipates a transition period for the continued application of EU data protection law (i.e. the GDPR) for the processing of the personal data of individuals resident outside the UK, provided that the personal data: (a) was processed under EU law in the UK before the end of the transition period; or (b) is processed in the UK after the end of the transition period on the basis of the withdrawal agreement. However, the continued application of EU data protection law merely affirms the current position that personal data may only be transferred to third countries (such as the UK after Brexit) if the European Commission (the “Commission”) has provided that country with an adequacy decision or, in the absence of an adequacy decision, either certain safeguards are adopted in relation to the transfer or a specific derogation can be relied upon (see our previous blog for more details).
Fortunately, according to Article 71(2), the transitional arrangements referred to above will fall away if the Commission makes an adequacy decision essentially affirming that the UK’s processing of personal data provides a satisfactory level of protection to EU-based individuals. This would mean there is no need for reliance on safeguards or derogations in order for personal data to be transferred from the EU to the UK, which will result in minimal disruption to business continuity. However, it’s worth noting that adoption of the draft withdrawal agreement by the UK Parliament and EU leaders does not guarantee the provision of an adequacy decision for the UK, although it would seem to be in all parties’ interests for the Commission to implement an adequacy decision in the event of the UK and the EU striking a Brexit deal.
Even if the UK receives an adequacy decision, the draft withdrawal agreement reminds us that it is not permanent and could be repealed by the EU after one of its periodic reviews of the UK’s data protection laws post-Brexit. If an adequacy decision ceased to apply for any reason then Article 71(3) requires the UK to “ensure a level of protection of personal data essentially equivalent to that under EU law…” Onerous as this may seem, it is not a commitment for the UK to maintain and apply the GDPR (which is currently incorporated into domestic law, irrespective of Brexit, by the Data Protection Act 2018), rather we will have some discretion as to how we implement data protection law albeit curtailed to some extent by the withdrawal agreement. However, irrespective of how we tinker with our domestic data protection law, the absence of an adequacy decision for the UK means reliance on safeguards or derogations in order for personal data to be transferred from the EU to the UK which, as you will note below, is as good as having no deal in place!
On 25 November 2018, a summit of EU leaders unanimously approved the terms of the draft withdrawal agreement. However, if the UK Parliament fails to approve the draft withdrawal agreement, resulting in a no deal Brexit, the Commission has expressly stated that the adoption of an adequacy decision is not part of its contingency planning. EU member states do not have the power to unilaterally grant adequacy decisions to third countries as approval from representatives of all EU member states is required. This effectively rules out the possibility of the UK concluding bilateral agreements with member states on the international transfer of personal data where EU law applies.
A no deal Brexit therefore suggests an extended period of reliance on the safeguards and derogations referred to above in order to legally transfer personal data from the EU to the UK. As you will note from our previous blog, reliance on these measures to govern all transfers of personal data from the EU to the UK is likely to be cumbersome in practice, partly given the rigid nature of the Standard Contractual Clauses (SCCs) (in so far as they must be adopted entirely and without amendment to their legal effect) and the magnitude of the task presented by establishing legally sound Binding Corporate Rules from a time and resource perspective. Also noteworthy is that the validity of SCCs is under consideration by the European Court of Justice as questions have arisen over whether they satisfy the standards of care required by the more recent GDPR.
It’s currently unclear as to whether the UK Parliament will approve the draft withdrawal agreement (and early signs are certainly not positive) and, even if it is approved, we will need to wait and see if the UK will receive an adequacy decision during the transitional period of Brexit. The only certainty we have at this point is that a no deal Brexit means reliance on the safeguards and derogations in order to legally transfer personal data from the EU to the UK. If your business is reliant upon such data transfers from the EU, it would be advisable to consider putting in place contingency plans for a no deal Brexit by preparing for the use of appropriate safeguards and/or derogations.
We chat to immigration specialists in Spain, Germany, France and Italy on what British citizens in those countries should be doing now. August/September 2019Click here to listen
5 September 2019READ MORE
20 August 2019READ MORE
30 August 2019READ MORE
5 August 2019Read more
29 August 2019Read more
9 May 2019READ MORE
1 February 2019Read News Item
29 January 2019READ MORE
23 January 2019Rebecca Niblock blogs
November 2018 - In this podcast Gillian Brownlee and Felicity Woof discuss the new EU Settlement Scheme which at the time of recording (in November 2018) is due to go live on 30 March 2019.Listen to the podcast
Our Public Law team blogs about secondary legislation and Brexit.View the blog series
19 September 2018Read the blog
20 September 2018READ MORE
31 August 2018Read the blog
14 August 2018Read the blog
9 August 2018Read the blog
30 July 2018 - Hanging over this year’s Tour de France, at least for this British cycling fan, was the realisation that this is probably the last Tour pre-Brexit, and so there is an additional level of uncertainty about what the 2019 post-Brexit edition will look like.Read the blog
16 July 2018 - A question you may ponder as you relax on that sunlounger in the weeks ahead is whether you need to review your arrangements for any EU based property in light of Brexit.Read the blog
9 July 2018 - Two Solicitor friends of mine recently asked me to sign their applications to register with the Law Society of Ireland. I asked them if they were thinking of moving.Read Blog Post
18 June 2018View Tweet
11 July 2018Read Blog Post
29 March 2018 - As avid golfers focus their attention on the US Masters in Augusta Georgia next month, many at the 19th Hole will be pondering the impact of Brexit on their beloved game.Read the blog
22 March 2018 - The House of Commons Library published a Briefing Paper on 7 March 2018 outlining the language testing requirements imposed upon healthcare professionals who qualified outside of the UK.Read Blog Post
5 March 2018 - The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact horse racing and all who are part of it.Read Blog Post
21 March 2018 - The UK is home to a myriad of sports employing foreign nationals and receiving investments from overseas companies. Learn how Brexit will impact motor racing and all who are part of it.Read Blog Post
17 April 2018View Tweet
19 March 2018View Tweet
10 July 2018 - No sooner are we one year into the new regime under the Money Laundering Regulations 2017 than a further EU instrument has been adopted.Read Blog Post
27 June 2016View on YouTube
Skip to content Home About Us Insights Services Contact Accessibility